Case Analysis: Global Payments Breach

Executive Summary

A data breach at the credit card payment processor Global Payments potentially exposed 1.5 million credit and debit card numbers from the major card brands Visa, MasterCard, Discover and American Express (money.cnn.com), as reported in April 2012.

Company Background

Founded in 1967, Global Payments (NYSE: GPN) is one of the largest electronic transaction processing companies. It is headquartered in Atlanta, GA and operates in several European and Asia-Pacific (APAC) regions.

The company provides business-to-business card payment and processing solutions for the major card brands Visa, MasterCard, American Express and Discover. It also performs terminal management and electronic check conversion.

Security Breach

In March 2012, a year before this analysis was written, the company was hit by a large security breach of its credit card payment processing servers affecting more than 1.5 million card accounts (nytimes.com).

The company reported unauthorized access to its processing system, resulting in the export of about 1,500,000 card numbers.

According to the company's report, the stolen data included names, social security numbers and the business bank accounts designated for payment processing or deposit services. Through this unauthorized access to the company's servers, more than a million confidential customer records were exported.

Cost of Security Breach

While this is not the largest breach on record, it cost Global Payments $93.9 million according to the company's quarterly report of January 8, 2013 (bankinfosecurity.com).


The company hired a Qualified Security Assessor (QSA) to conduct an independent review of the PCI DSS compliance of Global Payments' systems; the assessor recommended many remediation steps for its systems and processes. The company also paid fines for non-compliance and reached settlements with several card networks. The majority of the expense, $60 million, was professional fees, while $35.9 million was the estimated total of fraud losses, fines and other charges imposed by the credit and debit card networks.

Against this, the company received $2 million in insurance recoveries. It expected a further $25 to $35 million of expense in the remainder of 2013 for investigation, remediation and PCI compliance.

Closer Look at Control Issues

Although the company has disclosed few details of the investigation, a closer look at the case reveals the classic fraud triangle of pressure, rationalization and opportunity. This analysis takes the view that an insider very likely played a major role, exploiting security weaknesses in the company's information technology systems and the lack of proper monitoring mechanisms.

Weak internal controls gave the insider the opportunity to commit fraud. At a minimum, the case shows that system monitoring was inadequate: it did not detect the data thief's access to PCI data, let alone prevent it. It is also not clear whether strong encryption was applied to personal data such as social security numbers and bank account numbers.

Steps to mitigate data breach

A number of precautionary and data protection measures should be taken to ensure PCI compliance and prevent a data theft of this scale (sans.org).


1. Establish multiple levels of data security specifically for personal information such as customer account numbers, social security numbers, customer addresses and phone numbers. This includes defining authorization rules and logging and reporting every data retrieval.

2. Encrypt the data using the best available encryption methods, protecting both data at rest and data in transit. Data at rest is information residing in databases, file servers and even personal computers; data in transit is data moving across local and wide area networks.

3. Identify all the sensitive data that needs encryption, based on the data classification policy; this is the first step in protecting it.

4. Locate data at rest and data in motion, then apply, in order: eradication, i.e. removal of unnecessary data lying in file systems or on personal PCs; obfuscation (masking) so the data is not in a readily readable format; and finally encryption using industry-standard techniques.

5. Follow the PCI DSS requirements for financial data:
   a. PIN blocks and the CVV2/CVC2 card verification values must not be stored after authorization, even in encrypted form.
   b. All sensitive information must be encrypted during transmission over networks, which are prime targets for attackers.
   c. Ensure that security technology is resistant to tampering, and do not disclose security-related documentation.
   d. Maintain sound and practical policies for the generation, update, deletion, storage and archival of cryptographic keys.
   e. Ensure that data exchange takes place over a trusted path with strong controls that confirms the authenticity of the content.
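The controls in steps 1, 2, 4 and 5 above, worked through as an added example in Go (this is not part of the original paper and not code from Global Payments' systems): a small card-data vault that refuses to persist sensitive authentication data (CVV2, PIN block), masks the PAN to the first six and last four digits for display, encrypts the PAN at rest with AES-256-GCM under a fresh random nonce, and records every store and retrieval in an audit log that never contains the full PAN. The key derivation, record IDs, actor names and the Visa test number 4111111111111111 are constructed for the demonstration; a real deployment would take the key from an HSM or key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// CardRecord as captured at transaction time. CVV2 and PINBlock are sensitive
// authentication data (SAD): usable for the authorization call, never persisted.
type CardRecord struct{ Name, PAN, CVV2, PINBlock string }

// AuditEvent records who did what to which card; the PAN is always masked here.
type AuditEvent struct {
	At                       time.Time
	Actor, Action, MaskedPAN string
}

// Vault keeps each PAN only as nonce||AES-GCM ciphertext, holds no SAD, and keeps an audit trail.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte
	Audit   []AuditEvent
}

var ErrSADPresent = errors.New("refusing to store sensitive authentication data (CVV2/PIN block)")

// NewVault wraps a 16/24/32-byte AES key in AES-GCM.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}}, nil
}

// MaskPAN keeps at most the first six and last four digits, the most PCI DSS allows to be displayed.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Store refuses SAD, validates the PAN, encrypts it under a fresh nonce with the record ID
// as associated data (so a ciphertext cannot be moved to another record), and logs the write.
func (v *Vault) Store(id, actor string, rec CardRecord) error {
	if rec.CVV2 != "" || rec.PINBlock != "" {
		return ErrSADPresent
	}
	// TrimLeft of all digits leaves "" only when the PAN is purely numeric.
	if n := len(strings.TrimLeft(rec.PAN, "0123456789")); n != 0 || len(rec.PAN) < 13 || len(rec.PAN) > 19 {
		return errors.New("PAN must be 13-19 digits")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// Seal appends the ciphertext and tag to the nonce, so the stored blob is nonce||ciphertext||tag.
	v.records[id] = v.aead.Seal(nonce, nonce, []byte(rec.PAN), []byte(id))
	v.log(actor, "store", rec.PAN)
	return nil
}

// Retrieve decrypts the PAN for the caller; every retrieval is logged with the masked PAN.
func (v *Vault) Retrieve(id, actor string) (string, error) {
	blob, ok := v.records[id]
	if !ok {
		return "", errors.New("no such record")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
	if err != nil {
		return "", err // a tampered blob or a blob copied from another record ID fails authentication
	}
	v.log(actor, "retrieve", string(pt))
	return string(pt), nil
}

func (v *Vault) log(actor, action, pan string) {
	v.Audit = append(v.Audit, AuditEvent{time.Now().UTC(), actor, action, MaskPAN(pan)})
}

func main() {
	key := sha256.Sum256([]byte("demo-only key, not for production")) // constructed; use an HSM/KMS key in practice
	v, _ := NewVault(key[:])                                           // 32-byte key, cannot fail
	rec := CardRecord{Name: "Example Merchant", PAN: "4111111111111111", CVV2: "123"} // Visa test number
	fmt.Println("store with CVV2:", v.Store("m-1001", "batch-importer", rec))
	rec.CVV2 = "" // CVV2 goes to the authorization request and is then discarded
	fmt.Println("store without CVV2:", v.Store("m-1001", "batch-importer", rec))
	pan, _ := v.Retrieve("m-1001", "chargeback-analyst")
	fmt.Println("retrieved:", MaskPAN(pan), "| audit entries:", len(v.Audit))
}
```

The first Store call is rejected because the CVV2 is still attached, which is the step 5a rule enforced in code rather than by policy alone. Binding the record ID as associated data means an attacker who can copy encrypted blobs between rows still cannot make the vault decrypt them under the wrong identity, and the audit trail (step 1) records the actor and a masked PAN for every access, which is exactly the monitoring the case analysis found lacking.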

Conclusion

The number of cyber threats is increasing at an alarming rate, and a small oversight on a company's part is enough for attackers to steal confidential data and put consumers at risk. In today's high-tech world, customer information is at high risk of breach, and any company, private or public, that handles financial data has to ensure the highest level of regulatory compliance in order to protect consumers' interests, maintain their trust and, finally, continue as a going concern.
